U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S CENTER FOR TALENT SERVICES GENERAL SUPPORT SYSTEM
FY 2011

Report No. 4A-CI-00-11-043

Date: 9/28/11

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final audit report discusses the results of our audit of the information technology security controls of the U.S. Office of Personnel Management's (OPM) Center for Talent Services General Support System (CTS GSS).
Our conclusions are detailed in the "Results" section of this report.

Certification and Accreditation (C&A)
A security C&A of CTS GSS was completed in July 2009. We reviewed the certification package for all required elements of a C&A, and determined that the package contained all necessary documentation.

Federal Information Processing Standards (FIPS) 199
A FIPS 199 Analysis of CTS GSS was conducted in May 2009. We agree with the security categorization of moderate for CTS GSS.

Information System Security Plan (ISSP)
The ISSP for CTS GSS contains the critical elements required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18.

Risk Assessment
A risk assessment was conducted for CTS GSS in August 2010 that addresses all the required elements outlined in relevant NIST guidance.

Independent Security Test and Evaluation (ST&E)
An independent ST&E was completed for CTS GSS as a part of the system's C&A process in May 2009.

Annual Self-Assessment
OPM's Human Resources Solutions (HRS) conducted a thorough self-assessment of the security controls of CTS GSS in June 2010.

Contingency Plan
A contingency plan was developed for the CTS GSS that is in compliance with NIST SP 800-34. However, the CTS GSS contingency plan has only been tested using tabletop exercises instead of the functional exercise that is required in NIST SP 800-84.

Privacy Impact Assessment (PIA)
A privacy threshold analysis (PTA) was conducted for the CTS GSS.
The PTA revealed that CTS GSS does not require a PIA; we agree with this assessment.

Plan of Action and Milestones (POA&M)
The CTS GSS POA&M follows the format of the OPM POA&M guide, and has been routinely submitted to the Office of the Chief Information Officer for evaluation.

NIST SP 800-53 Evaluation
We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-53 were implemented for CTS GSS. Although the majority of the tested security controls have been successfully implemented, several controls were not fully satisfied, including:
• The computer room that houses the CTS GSS does not have an automatic fire suppression system as recommended in NIST SP 800-53.
• HRS does not have documented emergency response procedures or conduct annual emergency response training as required in NIST SP 800-53.

Contents

Introduction .......... 1
Background .......... 1
Objectives .......... 1
Scope and Methodology .......... 2
Compliance with Laws and Regulations .......... 3
Results .......... 4
  I. Certification and Accreditation Statement .......... 4
  II. Federal Information Processing Standards 199 Analysis .......... 4
  III. Information System Security Plan .......... 4
  IV. Risk Assessment .......... 5
  V. Independent Security Control Testing .......... 5
  VI. Security Control Self-Assessment .......... 6
  VII. Contingency Planning and Contingency Plan Testing .......... 6
  VIII. Privacy Impact Assessment .......... 8
  IX. Plan of Action and Milestones Process .......... 8
  X. NIST SP 800-53 Evaluation .......... 8
Major Contributors to this Report .......... 12
Appendix: Human Resources Solutions' July 15, 2011 response to the draft audit report, issued June 21, 2011

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA).
It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we audited the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Center for Talent Services General Support System (CTS GSS).

Background

CTS GSS is one of OPM's critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.

CTS GSS provides design, development, and operation of human resources systems for a variety of functions and customers across the government. OPM's Human Resources Solutions (HRS) is the organization responsible for the software development, maintenance, and operations of the systems contained within the CTS GSS. The hardware supporting those systems is housed at OPM's Macon, Georgia facility.

This was our first audit of the security controls surrounding CTS GSS.
We discussed the results of our audit with HRS representatives at an exit conference.

Objectives

Our objective was to perform an evaluation of the security controls for CTS GSS to ensure that HRS officials have implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

OPM's IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for CTS GSS, including:

• Certification and Accreditation Statement;
• FIPS 199 Analysis;
• Information System Security Plan;
• Risk Assessment;
• Independent Security Control Testing;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary.
The audit covered FISMA compliance efforts of HRS officials responsible for CTS GSS, including IT security controls in place as of May 2011.

We considered the CTS GSS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's HRS division and other individuals with CTS GSS security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of CTS GSS are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the CTS GSS system of internal controls taken as a whole.

The criteria used in conducting this audit include:

• OPM Information Technology Security Policy Volumes 1 and 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
• Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives.
Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from March 2011 through May 2011 in OPM's Washington, D.C. and Macon, Georgia offices. This was our first audit of the security controls surrounding CTS GSS.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether HRS management of CTS GSS is consistent with applicable standards. Nothing came to our attention during this review to indicate that HRS is in violation of relevant laws and regulations.

Results

I. Certification and Accreditation Statement

A security certification and accreditation (C&A) of the CTS GSS was completed in July 2009.

OPM's Acting IT Security Officer (representing the Office of the Chief Information Officer or OCIO) reviewed the CTS GSS C&A package and signed the system's certification package on July 7, 2009. The system's owner signed the accreditation statement and authorized the continued operation of the system on July 13, 2009.

NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," provides guidance to federal agencies in meeting security accreditation requirements. The CTS GSS C&A appears to have been conducted in compliance with NIST requirements.

OPM's OCIO created and published guidance for preparing and conducting C&As in January 2011. These policies and procedures are now in effect for all OPM systems.
While the CTS GSS C&A was appropriately conducted in accordance with the guidance available in 2009, we suggest that HRS review OPM's new C&A methodology and conduct a gap analysis to ensure that they are prepared to conduct their 2012 C&A in accordance with the new requirements.

II. Federal Information Processing Standards (FIPS) 199 Analysis

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

A FIPS 199 analysis of CTS GSS was conducted in May 2009 as part of the system's Information System Security Plan (ISSP) development. The ISSP categorizes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. CTS GSS is categorized with a moderate impact level for confidentiality, moderate for integrity, moderate for availability, and an overall categorization of moderate.

The security categorization of CTS GSS appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and we agree with the categorization of moderate.

III. Information System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.
NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in an ISSP for each system, and provides guidance for doing so.

The ISSP for CTS GSS was created using the template outlined in NIST SP 800-18. The template requires that the following elements be documented within the ISSP:

• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Security Control Selection;
• Minimum Security Controls; and
• Completion and Approval Dates.

The CTS GSS ISSP adequately addresses each of the elements required by NIST.

IV. Risk Assessment

A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence.
In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, offers a nine-step systematic approach to conducting a risk assessment that includes: (1) system characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9) results documentation.

A risk assessment was conducted for CTS GSS in August 2010 that adequately addresses all of the elements outlined in the NIST guidance.

V. Independent Security Control Testing

A Security Test and Evaluation (ST&E) was completed for CTS GSS in May 2009 as a part of the system's C&A process. The ST&E was conducted by a contractor, Network Security Systems Plus Inc., which was operating independently from HRS. We reviewed the controls within the scope of this test to ensure that they included a review of the appropriate management, operational, and technical controls required for a system with a "moderate" security categorization according to NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.

The ST&E report labeled each security control as fully satisfied, partially satisfied, not satisfied, not verified, or not applicable. Several controls were also identified as controls inherited from OPM's [redacted]. Nothing came to our attention to indicate that the security controls of CTS GSS have not been adequately tested by an independent source.

VI. Security Control Self-Assessment

FISMA requires that the IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent ST&E is not being conducted on a system, the system's owner must conduct an internal self-assessment of security controls.

HRS conducted a self-assessment of the system in June 2010. The assessment included a review of the relevant management, operational, and technical security controls outlined in NIST SP 800-53 Revision 3. Nothing came to our attention to indicate that the security controls of CTS GSS have not been adequately tested by HRS.

VII. Contingency Planning and Contingency Plan Testing

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM's security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The CTS GSS contingency plan documents the functions, operations, and resources necessary to restore and resume CTS GSS operations when unexpected events or disasters occur. The CTS GSS contingency plan closely follows the format suggested by NIST SP 800-34 and is compliant with the required elements of the guidance.

Contingency Plan Test
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, provides guidance for testing contingency plans and documenting the results.
Contingency plan testing is a critical element of a viable disaster recovery capability.

A simulated "tabletop" test of the CTS GSS contingency plan was conducted by HRS officials in April 2010. The simulation test involved reviewing a series of steps that must be completed to recover the system in a predetermined disaster situation. The testing documentation contained an analysis and review of the simulation results. We reviewed the testing documentation to determine if the test conformed with NIST SP 800-34 guidelines.

While HRS conducts annual tabletop tests of the contingency plan, they have never performed a functional disaster recovery exercise. A functional exercise would allow HRS to further validate their readiness for disruptive events by performing system restoration activities in an operational environment. Since CTS GSS is a general support system that houses five major OPM systems and eight minor systems, we believe that a functional exercise to test the contingency plan should be conducted annually.

NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, Section 5.1, states that "Organizations should conduct functional exercises periodically; following organizational changes, updates to an IT plan, or the issuance of new TT&E [Test, Training, and Exercise] guidance; or as otherwise needed." Failure to conduct functional contingency plan exercises prevents HRS from discovering unanticipated technical or logistical problems or limitations that could arise while restoring the CTS GSS at the alternate location.

Recommendation 1
We recommend HRS conduct a functional contingency plan test for the CTS GSS.

HRS Response:
"HRS concurs with the recommendation and will conduct a functional contingency plan test for the CTS GSS during FY12."

OIG Reply:
As part of the audit resolution process, we recommend that HRS provide Internal Oversight and Compliance (IOC) with evidence that it has conducted a functional contingency plan test.

Recommendation 2
We recommend HRS coordinate with the system owners whose systems reside on the CTS GSS to encourage their participation in the functional contingency plan exercises.

HRS Response:
"HRS concurs with this recommendation and will coordinate the functional contingency plan test with system owners whose systems reside on the CTS GSS 60 days prior to the actual test."

OIG Reply:
As part of the audit resolution process, we recommend that HRS provide IOC with evidence that it has coordinated with the system owners whose systems reside on the CTS GSS.

VIII. Privacy Impact Assessment (PIA)

The E-Government Act of 2002 requires agencies to perform a screening of federal information systems to determine if a PIA is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed.

HRS completed an initial privacy threshold analysis of CTS GSS and determined that a PIA was not required for this system because it does not contain Personally Identifiable Information (PII). Although several applications residing on CTS GSS servers contain PII, the HRS staff supporting CTS GSS does not have access to this data.

IX. Plan of Action and Milestones Process (POA&M)

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses.
OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

The OIG evaluated the CTS GSS POA&M and verified that it follows the format of OPM's standard template, and has been routinely submitted to OCIO for evaluation. We also determined that the POA&M contained action items for all security weaknesses identified through various security control tests and audits.

Nothing came to our attention to indicate that there are any current weaknesses in the management of the CTS GSS POA&M.

X. NIST SP 800-53 Evaluation

NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated the degree to which a subset of these controls had been implemented for CTS GSS, including:

• AC-2 Account Management
• AC-5 Separation of Duties
• AC-6 Least Privilege
• AC-11 Session Lock
• AT-3 Security Training
• AT-4 Security Training Records
• AU-2 Auditable Events
• AU-6 Audit Review, Analysis, Reporting
• CA-7 Continuous Monitoring
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control
• CP-3 Contingency Training
• IA-1 Identification and Authentication Policy and Procedures
• IA-2 Identification and Authentication (Organizational user)
• IA-5 Authenticator Management
• IR-2 Incident Response Training
• IR-5 Incident Monitoring
• MA-1 System Maintenance Policy and Procedures
• MA-2 Controlled Maintenance
• MP-6 Media Sanitization and Disposal
• PL-4 Rules of Behavior
• PE-1 through PE-18 Physical and Environmental Controls
• PS-4 Personnel Termination
• RA-5 Vulnerability Scanning
• SA-7 User-Installed Software
• SC-5 Denial of Service Protection
• SC-13 Use of Cryptography
• SI-2 Flaw Remediation
• SI-9 Information Input Restrictions
• PM-1 Information Security Program Plan

These controls were evaluated by interviewing individuals with CTS GSS security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system.

Although it appears that the majority of NIST SP 800-53 Revision 3 security controls have been successfully implemented for the CTS GSS, several tested controls were not fully satisfied.

a) PE-13 Fire Protection

The CTS GSS computer room does not contain an automatic fire suppression system. The CTS GSS currently relies on hand-held fire extinguishers located within the computer room as their sole means of fire suppression. HRS stated that they have completed an informal cost-benefit analysis and concluded it would not be cost effective to install an automated fire suppression system.
The HRS Standard Operating Procedures state that the organization has accepted the risk, but no formal documentation or analysis has been created.

NIST SP 800-53 Rev. 3 requires that "The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source." One of the control enhancements for a moderate risk system such as CTS GSS requires that "The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis." While the Macon building is staffed on a continuous basis, we observed that the computer room is often unoccupied.

Failure to implement an automatic fire suppression system increases the risk that a fire could spread within the computer room before it could be extinguished by a person. Also, it would be hazardous for a person to attempt to extinguish a fire with a handheld fire extinguisher. This would greatly affect the availability of the applications that reside on the CTS GSS.

Recommendation 3
We recommend HRS install a fire suppression system within the Macon facility's computer room.

HRS Response:
"HRS employs and maintains a Johnson Controls IFC fire detection and alarm system that is automatically activated in the event of a fire and has been duly inspected and certified. Fire detection devices/systems include hand-held and wheeled fire extinguishers, fixed fire hoses, and state-of-the-art laser smoke detectors. Having an automatic fire suppression system increases the risk of the suppression agent causing more damage to the equipment than an actual fire. There is minimal material in the room that is combustible, thus reducing the potential of a fire spreading. HRTT does not currently employ automatic fire suppression devices due to cost and practicality constraints. HRTT's strategy is to monitor closely and maintain a rapid response capability to enable suppression in a surgical fashion in the event of a fire rather than broadcast a fire suppression agent and affect the entire computer room, making all systems there unreachable for an unacceptable period of time. HRTT has in place a number of countermeasures to reduce the fire risk.

• A Macon fire station is less than two miles away from the facility (Macon-Bibb County Fire Department is A-1 rated).
• The facility is staffed 24/7 by a security guard who is a state-certified, professional law enforcement officer trained as a first responder who has access to the computer room to manually activate the fire suppression mechanisms.
• Existence of a laser smoke detection system in the computer room which employs detectors that are multiple times more sensitive than normal smoke detectors and trigger automatic alarms to the security staff.
• Security guards also perform physical walk-through inspections of all areas every 2 to 4 hours.
• The walls and ceiling of the computer room are made of reinforced concrete and its doors are fire-resistant rated at 1200 degrees Fahrenheit for one hour.

HRS plans to conduct a cost-benefit analysis and formal risk assessment to evaluate the costs and risks of implementing an automatic fire suppression system by the end of FY12 Quarter 2."

OIG Reply:
We continue to recommend that HRS install an automatic fire suppression system in the Macon facility's computer room. However, we would consider supporting the closure of this recommendation if HRS provides IOC with a thorough risk assessment or cost-benefit analysis clearly illustrating that the costs and risks of implementing a fire suppression system exceed the benefits. HRS would also need to provide IOC with an approved official risk acceptance document.

b) PE-1 Physical and Environmental Protection Policy and Procedure

Although the current employees at the OPM Macon facility have an informal understanding of their roles and responsibilities when responding to an emergency, HRS does not have any documented emergency response procedures and does not conduct any formal emergency response training.

NIST SP 800-53 Rev. 3 requires that an organization have "A formal, documented physical and environmental protection policy that addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance" and "Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls."

Furthermore, FISCAM requires that "Staff should be trained in and aware of their responsibilities in preventing, mitigating, and responding to emergency situations… information on emergency procedures and responsibilities can be provided through training sessions and by distributing written policies and procedures."

Failure to establish documented emergency response procedures increases the likelihood that personnel will not know how to respond in emergency situations within the computer room. This issue is magnified by the fact that there is no automatic fire suppression system in the computer room, as stated above.

Recommendation 4
We recommend HRS document and implement formal emergency response procedures.

HRS Response:
"HRS concurs with the recommendation and will document and implement formal emergency response procedures by the end of FY12 Quarter 1."

OIG Reply:
As part of the audit resolution process, we recommend that HRS provide IOC with evidence that it has documented and implemented formal emergency response procedures.

Recommendation 5
We recommend HRS conduct annual emergency response training.

HRS Response:
"HRS concurs with this recommendation and will conduct annual emergency response training by the end of FY12 Quarter 2."

OIG Reply:
As part of the audit resolution process, we recommend that HRS provide IOC with evidence that it conducts annual emergency response training.

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

•                  , Group Chief
•                  , Senior Team Leader
•                  , Auditor in Charge
•                  , IT Auditor


automatic fire suppression system increases the risk of the suppression agent causing more damage to the equipment than an actual fire. There is minimal material in the room that is combustible, thus reducing the potential of a fire spreading.
HRTT does not currently employ automatic fire suppression devices due to cost and practicality constraints. HRTT's strategy is to monitor closely and maintain a rapid response capability to enable suppression in a surgical fashion in the event of a fire rather than broadcast a fire suppression agent and affect the entire computer room, making all systems there unreachable for an unacceptable period of time. HRTT has in place a number of countermeasures to reduce the fire risk.

• A Macon fire station is less than two miles away from the facility (Macon-Bibb County Fire Department is A-1 rated).
• The facility is staffed 24/7 by a security guard who is a state-certified, professional law enforcement officer trained as a first responder who has access to the computer room to manually activate the fire suppression mechanisms.
• Existence of a laser smoke detection system in the computer room which employs detectors that are multiple times more sensitive than normal smoke detectors and trigger automatic alarms to the security staff.
• Security guards also perform physical walk-through inspections of all areas every 2 to 4 hours.
• The walls and ceiling of the computer room are made of reinforced concrete and its doors are fire-resistant rated at 1200 degrees Fahrenheit for one hour.

HRS plans to conduct a cost-benefit analysis and formal risk assessment to evaluate the costs and risks of implementing an automatic fire suppression system by the end of FY12 Quarter 2.

3. Section X. NIST SP 800-53 Evaluation, b) PE-1 Physical and Environmental Protection Policy and Procedure

OIG Recommendation 4: We recommend HRS document and implement formal emergency response procedures.

HRS Response: HRS concurs with the recommendation and will document and implement formal emergency response procedures by the end of FY12 Quarter 1.

OIG Recommendation 5: We recommend HRS conduct annual emergency response training.

HRS Response: HRS concurs with this recommendation and will conduct annual emergency response training by the end of FY12 Quarter 2.

If you should need any additional information or have any questions, please contact


www.opm.gov   Recruit, Retain and Honor a World-Class Workforce to Serve the American People   www.usajobs.gov

cc:

Senior Team Leader
Office of Audits
Office of the Inspector General

Janet Barnes
Deputy Director
Internal Oversight and Compliance

Manager
HR Tools and Technology

Designated Security Officer
HR Tools and Technology

Senior Agency Information Security Officer
Office of the Chief Information Officer

Kathleen McGettigan
Deputy Associate Director
Human Resources Solutions

Francis O'H Esquivel
Deputy Associate Director
Leadership and Talent Management Solutions